docs(ingestion) glue: document required IAM permissions (#3929)

datahub-project · Feb 7, 2022 · 782e66f · 782e66f
1 parent 63bc830
commit 782e66f
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/metadata-ingestion/source_docs/glue.md b/metadata-ingestion/source_docs/glue.md
@@ -38,6 +38,37 @@ sink:
   # sink configs
 ```
 
+## IAM permissions
+For ingesting datasets, the following IAM permissions are required:
+```json
+{
+    "Effect": "Allow",
+    "Action": [
+        "glue:GetDatabases",
+        "glue:GetTables"
+    ],
+    "Resource": [
+        "arn:aws:glue:$region-id:$account-id:catalog",
+        "arn:aws:glue:$region-id:$account-id:database/*",
+        "arn:aws:glue:$region-id:$account-id:table/*"
+    ]
+}
+```
+
+For ingesting jobs (`extract_transforms: True`), the following additional permissions are required:
+```json
+{
+    "Effect": "Allow",
+    "Action": [
+        "glue:GetDataflowGraph",
+        "glue:GetJobs",
+    ],
+    "Resource": "*"
+}
+```
+
+plus `s3:GetObject` for the job script locations.
+
 ## Config details
 
 Note that a `.` is used to denote nested fields in the YAML recipe.